Krebs on Security

In-depth security news and investigation

Wash. Hospital Hit By $1.03 Million Cyberheist

Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.

Last Friday, The Wenatchatee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.

On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.

Jesus Contreras, a 31-year-old from San Bernadino, Calif., had been out of work for more than two months when he received an email from a company calling itself Best Inc. and supposedly located in Melbourne, Australia. Best Inc. presented itself as a software development firm, and told Contreras it’d found his resume on Careerbuilders.com. Contreras said the firm told him that he’d qualified for a work-at-home job that involved forwarding payments to software developers who worked for the company’s overseas partners.

Could he start right away? All he needed was a home computer. He could keep eight percent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since he got laid off in February from his previous job, which was doing inventory for an airplane parts company.

Best Inc. Website

His boss at Best Inc., a woman with a European accent who went by the name Erin Foster, called Contreras and conducted a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired. His first assignment: To produce a report on the commercial real estate market in Southern California. Contreras said Ms. Foster told him that their employer was thinking of opening up an office in the area.

On Monday, Apr. 22 — shortly after he turned in his research assignment — Contreras received his first (and last) task from his employer: Take the $9,180 just deposited into his account and send nearly equal parts via Western Union and Moneygram to four individuals, two who were located in Russia and the other pair in Ukraine. After the wire fees — which were to come out of his commission — Contreras said he had about $100 left over.

“I’m asking myself how I fell for this because the money seemed too good to be true,” Contreras said. “But we’ve got bills piling up, and my dad has hospital bills. I didn’t have much money in my account, so I figured what did I have to lose? I had no idea I would be a part of something like this.”

A small, but significant part, as it happens. Contreras never got to use any of his meager earnings: His financial institution, Bank of America, froze his account and seized what little funds he had in it.

Meanwhile, the Chelan County treasurer’s office is struggling to claw back the fraudulent transfers. According to press reports, roughly $133,000 of the lost funds have been recovered so far, and it may take at least 30 days to learn how much was actually lost.

Some observations about this crime:

-It could have been far worse of a loss. The Chelan County bank accounts that were hacked also are used to administer 54 other junior taxing districts in the county. My guess is this attack would have been worse, but that the fraudsters simply exhausted their supply of money mules.

-Just as real-life bank robbers are restricted in what they can steal by the amount of loot that they can physically haul away from the scene of the crime, the crooks behind these cyberheists are limited in how much they can steal to how many money mules they can recruit to help launder the fraudulent transfers. That’s because unless the mules have access to business accounts that can receive and forward much larger wire transfers, the amounts sent to mules typically range from just below $5,000 to slightly less than $10,000. Edwin Walker of Alpharetta, Ga. — another mule who unwittingly helped launder money for Best Inc. — received and processed a $4,970 transfer on April 20. And while available mules may be a bottleneck for this type of crime, this group appears to have a well-oiled mule-recruitment machine going 24/7.

-Mr. Contreras’ erstwhile employer, Best Inc., is part of a transnational organized cybercriminal gang operating in Russia and Ukraine. Its distinguishing feature is that it operates its own money mule recruitment division. This eliminates the middle man and increases the gang’s overall haul from any cyberheist. “Cashing out” hacked accounts is a complex, time-consuming process that is normally contracted out to third party criminal operations, which can take anywhere from 40-60 percent of the haul for their trouble.

-This gang uses several telltale signatures in its operations, and has been hitting small to mid-sized organizations for the past five years at least. They’ve stolen many, many times more than the millions taken from Chelan County, from hundreds of victim organizations. In fact, this gang appears to have been involved in nearly every cyberheist I have written about for the past four years.

-Mr. Contreras is something of an oddity: A West Coast money mule. The mule recruitment gangs generally prefer to hire mules that are on the East Coast or in the Midwest. That’s because mules on the West Coast are not particularly attractive for cashing out accounts from victim banks and businesses that open several hours before the banks on the West Coast; time is money, and in this business, the more time that elapses before the mules can withdraw and move the stolen funds, the more likely the victim and its bank will be able to claw back the fraudulent transfers.

-The reporting so far includes no information about the victim’s bank, or what kinds of security procedures they may have required of Chelan County for moving large sums of money. But my guess is it was a small to regional bank, and there were few security hurdles for the bad guys to overcome, aside from maybe a one-time token and a password. But that is just speculation based on lots of experience reporting on these crimes.

Broken record alert:If you are running a small business and managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of out-of-band authentication (a text message sent to a mobile device, for example). These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.

But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.

This entry was posted on Tuesday, April 30th, 2013 at 10:41 am and is filed under A Little Sunshine, Target: Small Businesses.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

I am sure it’s a matter of time before they find these people. But, honestly, the cybercrime people change IDs and accounts quicker than most change undergarments.

They probably reside in an area where they ‘seem” safe from a 3rd world prosecution. They use Western Union and other type of transfers because most are nearly impossible to trace back. All they need is an employee overseas somewhere that can process the incoming cash, maybe get some kickbacks and they are happy. IF the Feds show up all the employee has to say is, I looked at the ID and it matched what was on the account.

I’ve seen this same operation about checks as well. Out of work? Here cash these checks and buy these specific items and mail it to this person at this address. The check the person cashes may have the correct name and address on it, but the bank account and routing numbers are from a different account. The money mule scam seems to have a lot of different methods to withdraw funds from victims.

Banking institutions USUALLY have you wait 2-5 days once you deposit a check over a certain amount. The individual stands in line, with cameras on them, with a vaild check and a valid ID and honorable intentions and gets to jump through hoops.

As for the other side of that, there seems to be no 2-5 day hold of funds being withdrawn. Its an EASY fix. All some one has to do is open up two secure clearing houses for Financial Institutions to use. One is for B2B operations and the other is for residents. Its sole purpose is to place a 3-5 day hold on funds, and the sender gets credit for making payments on time if done in good faith.

The users can set up a “whitelist” of people they want thier banking accounts to send funds to. Residents can limit where their funds go to – eg; they can pay the bills, but not allow funds to leave the USA.

It would take a little bit of work, sure, but how much less would it cost the united states alone in lost revenue?

Its just one way of thinking out of the box; becuase what we currently have in hand is definately broke, but the criminals know that, and will exploit it until the cow runs dry.

Maybe it would be better for folks to reconsider the need for online banking in the first place. I know it sounds ludicrous but it maybe a viable option for some. Plus if there was a way to only see you bank balance but not be able to move funds that would also be ok as well. Many people may not know how to properly secure their system against attacks so stopping them from doing online banking maybe a good idea.

I respect the fact that Mr Krebs has given some solid advice about how to securely preform online banking but I feel the average folk may not know or worse may not care to take the required actions.

“The Automated Clearing House is a secure, private electronic payment transfer system that connects all U.S. financial institutions.”

The site (www.ach.com) referenced in the Wenatchee newspaper article, flies many red flags (last news dated 4/11, total of 7 forum posts, no ownership or contact, etc.) that should have given pause to anyone researching them as their money “handler”.

Could it be that this “secure, private…system” handling $trillions is without regulation, oversight or insurance?

That website is run by a private, for-profit company that provide ACH services to businesses. The ACH service is actually run by the Electronic Payments Association ( http://www.nacha.org/ ). Lazy websearching by the reporter or editor.

I can’t help but feel like people just don’t care if their money, or their employer’s money as the situation may be, gets stolen. Mew mew mew I work in accounting/HR I don’t comprehend computer security. We really need a certification process to permit people to use the internet.

In addition to following Brian Kreb’s Best Practices, sole proprietors, not-for-profits, and small businesses may apply for CyberHeist insurance at http://www.cdiaus.com for as little as $100 per year.

As well as recruiting money mules using email spam, we’re seeing a recent spike in SMS spam offering “work from home” opportunities. In the last 7 days, 20% of the SMS spam reported to the GSMA’s 7726 Spam Reporting Service in the United States has been of this type, and another 31% has been bank phishing.

I hope you have given Chelan County Public Hospital No. 1 the contact information of Julie Rogers and Kim Dincel. Note that they have moved out from under Silicon Valley Law Group to start their own practice specializing in driving the point home to the kind of financial services institution that would let that hospital be taken for over $1 million that they were not employing “commercially reasonable security procedures” that were “executed in good faith” (to quote the words of Section 4A of the Uniform Commercial Code). However, Julie and Kim can still be reached via SVLG.

Yes, Choice Escrow did lose its case against Bankcorp South, but only because of an unlikely-to-be-repeated set of facts that exactly matched up against the one “out” that UCC-4A offers to cyber-security-slacker banks. And that case was still wrongfully decided because the “superior security procedure” offered by Bankcorp South was not itself “commercially reasonable security” because it had been beaten years earlier.

What small organizations need is not to abandon online banking, but refuse to keep money in any bank that does not stand behind its fraud controls with a money-back guarantee. Banks that don’t offer such a guarantee only get commercial business because they fail to disclose the risks that banking online at their institutions exposes their customers to.

In any case, as I noted in my testimony before the Subcommittee on Capital Markets of the House Committee on Financial Services last June, commercial-account online banking funds transfer fraud is a totally beatable kind of attack because it is commercially motivated. Good-faith execution of the FFIEC’s 2005 and 2011 Guidances can easily make it cost more than $1 to steal a buck from America’s churches, school districts, public libraries, medical practices, charities, and small businesses. The Ukrainians are not the Chinese government going after our defense secrets. They are “commercially” motivated actors. Gartner, Inc.’s Avivah Litan has identified five different layers of fraud control. Pick one from Layer 1 and 1 from layers 2 or 3 and the bad guys will certainly bypass your F.I. and go after an account at one that not so hard a target. Or they will as long as you only select solutions that obey the “Krebs Rule” (= they work even if the PC used for online banking is totally under enemy control). Actually, the transaction patterns associated with all these crimes are so totally anomalous that even just one solution out of Ms. Litan’s Layers 1, 2, or 3 would have beaten them all.

It’s the Russians again! Historically, half of the crime in the world has been done by those pigs. I try my best not to criticize them like that – there are good Russians too – but most simply have the eat, steal, kill, and die mentality.